Policy Approval Authority | President |
Responsible Division | Division of Administration and Finance |
Responsible Officer(s) | Vice President for Administration and Finance and Chief Financial Officer |
Contact Person | George Middlemist |
Primary Audience | Faculty, Staff |
Date Submitted to Policy Library | 05-13-2020 |
Status | Active |
Adoption Date | 06-01-2020 |
Policy Category/Categories | Governance / Administration, Information Technology |
Federal and State Law
Definitions
Scope
Implementation Procedures
Compliance
In order to increase the efficiency and effectiveness of NIU operations that require or request signatures to indicate approvals or acknowledgements, NIU may accept electronic signatures to replace previously required handwritten original signatures on paper documents.
To the fullest extent permitted by law, NIU accepts electronic signatures as legally binding and equivalent to handwritten signatures to signify agreement or approval. This policy establishes the process for designating transactions that can legally accept electronic signatures and how NIU will accept and verify electronic signatures. Where nonrepudiation of the authenticity of a particular signature is required, a digital signature, as defined below, may be required.
Enacted to aid and encourage electronic commerce, the federal Electronic Signatures in Global and National Commerce Act of June 2000 states that “With respect to any transaction affecting interstate or foreign commerce . . . a contract . . . may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.” [15 USC § 7001(a)(2)].
The Illinois Electronic Commerce Security Act (Illinois Act or ECSA) of 1998 [5 ILCS 175] also seeks to facilitate and promote electronic commerce and says that where an existing law requires a signature, then an electronic signature satisfies that rule of law [5 ILCS 175/5-120(a)].
NIU defines an electronic signature in a way similar to the definitions in the E-SIGN Act or the Illinois Electronic Commerce Act.
E-SIGN defines an electronic signature as:
The Illinois Act defines an electronic signature as a “signature in electronic form attached to or logically associated with an electronic record.” Furthermore, an “electronic signature may be proved in any manner, including by showing that a procedure existed by which a party must of necessity have executed a . . . security procedure for the purpose of verifying that an electronic record is that of such party in order to proceed further with a transaction.” [5 ILCS 175/10-110]. An electronic signature is secured, for example, when it can be verified that an electronic record has not been altered since a specified point in time. [5 ILCS 175/10-105]
A digital signature is a type of electronic signature, specifically defined by the Illinois Act as “a type of electronic signature that is created by transforming an electronic record . . . and encrypting the resulting transformation with an asymmetric cryptosystem using the signer's private key . . . and the signer's corresponding public key.”
A digital signature is, by definition, considered to be a security procedure [5 ILCS 175/15-10], but it is not the only acceptable security procedure that may be used to prove an electronic signature.
By definition, all digital signatures are electronic signatures, but not all electronic signatures are digital signatures.
In the context of information security, data classification is based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
Public Data: Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data. Public data typically rates low in most or all risk categories.
Private Data: Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.
Restricted Data: Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data. Restricted data generally rates high in one or more risk categories.
Check Data Classification Guidelines and Procedures for more details.
Wherever possible, NIU encourages members of its community to do business electronically and to use electronic signatures to conduct transactions that may have previously required handwritten signatures on paper documents.
Where a transaction requires that the authenticity of the signer be more rigorously proven and where the party to the contract or transaction cannot legally repudiate the authenticity of their signature on a document, then a digital signature will be required. The policy also establishes the process for designating transactions that would accept digital signatures and how NIU will implement digital signatures. Until NIU establishes its preferred and approved methods for the use of digital signatures at the University, such contracts or transactions will need handwritten signatures on paper documents.
Ultimately, each Data Trustee will be accountable for selecting the appropriate signature method and for documenting the selection procedure and the reasons for selecting that method. The Data Steward will be responsible for implementing the appropriate signature method.
Under applicable Illinois law, electronic signatures and digital signatures cannot be used for the following transactions:
However, an electronic transfer of title can be valid if the electronic version is created, stored, and transferred in a manner that allows for the existence of only one unique, identifiable, and unalterable original with the functional attributes of an equivalent physical instrument, that can be possessed by only one person, and which cannot be copied except in a form that is readily identifiable as a copy.
Under the law, external third parties are not required to accept or use electronic signatures in transactions. In those situations, the University and the external third party will need to come to an agreement on the acceptable form of signature on the transaction, or default to handwritten signatures on paper documents.
E-signatures may be implemented using various methodologies depending on the associated risks that may include fraud, non-repudiation, and financial loss. The quality and security of the e-signature method should be commensurate with the risk and any requirements to assure the authenticity of the signer.
Wherever possible, electronic signatures should be implemented. Digital signatures or handwritten signatures should be reserved for circumstances when they are required by law, regulation, or other applicable policy or authority.
Policy Library
815-753-5560
policy-library@niu.edu